Eighty-four percent of chief legal officers play a role in network security strategy: ACC report

Thirty-eight percent of legal departments expect to increase cyber-related budget

Eighty-four percent of chief legal officers play a role in network security strategy: ACC report
Susanna McDonald, VP and chief legal officer, ACC

Legal departments are playing an increasingly important role in cybersecurity strategy, and chief legal officers in particular are often front and center, with 84 percent of CLOs now playing a key role in the cybersecurity strategy for their organization – up from 76 percent in 2020 – according to a new report.

The report by the Association of Corporate Counsel Foundation, in collaboration with Ernst & Young LLP also found that cybersecurity reports to the CLO in 38 percent of departments surveyed. In fact, 22 percent of companies now have a dedicated cybersecurity lawyer – up from just 12 percent in 2018, while 24 percent indicate that the CLO is a member of the cybersecurity incident response team.

Respondents report growing cross-functional collaboration among legal, IT, security, and other business units to anticipate and effectively respond to cybersecurity threats.

Cybersecurity is seen a regulatory compliance matter, making lawyers ideally suited for this responsibility, according to Susanna McDonald, VP and chief legal officer at ACC.

“The chief legal officer brings strategic and risk management skills and additional data to the table as well,” says McDonald. These skills allow lawyers to help prevent and, if need be, react to cybersecurity situations, she adds.

Businesses face many risks in the event of a data breach, with reputational damage, liability to data subjects, and business continuity being the top three areas of concern for survey respondents.  

“Reputational damage can ultimately lead to a decline in revenues,” says McDonald. “It’s not just about liability to data subjects, but also potential fees and fines that businesses would have to pay to different regulatory agencies,” she adds.

The 2022 State of Cybersecurity Report: An Inhouse-Perspective also found that just 31 percent of legal departments say they are regularly involved in their company’s third-party risk management.

Thirty-eight percent of legal departments now say they are spending more as a result of their approach to cyber, compared to a year ago. This number has increased from just 23 percent in 2015. Fifty percent said this increase was mainly attributed to outside spend (among law firms, ALSPs, and consultants), while 25 percent said the increase was mainly attributed to inside spend (on legal resources exclusively devoted to cybersecurity)

Businesses should be doing more to train their employees in cybersecurity, according to McDonald, with the majority providing training only once per year, and as few as nine percent reporting that training is provided quarterly.

“Just about everybody said they are providing annual training, but I don’t think that is enough,” says McDonald. “Potentially harmful actors have become far more sophisticated with these attacks, making employees the primary target for them, thus increasing the risk to the organization. If organizations really want to get a handle on risk, they are going to have to engage with the employees with more robust training.”

The ACC surveyed 265 companies across 17 industries and 24 countries.

Recent articles & video

BC Court of Appeal overturns ruling requiring disclosure of privileged information on birth alerts

Ontario Superior Court finds Ottawa negligent in response to Uber's entry, damaging taxi industry

BC Supreme Court upholds drivers' liability in car crash injuring cyclist

Ontario Superior Court orders child's return from Alberta in custody dispute

Alberta court rules expert evidence inadmissible following settlement in medical negligence case

New metric developed to assess socioeconomic challenges of US law school applicants

Most Read Articles

Alberta court refuses to stay bankruptcy proceedings in favour of family law proceedings

New CRA audit powers proposed in federal budget raise uncertainty, say Davies tax lawyers

Mergers and acquisitions in the AI space need unique due diligence considerations: Dentons lawyers

Poilievre's plan to trample Charter rights won't stop at tough-on-crime measures